Certificate to ISAKMP Profile Mapping

The Certificate to ISAKMP Profile Mapping feature enables you to assign an Internet Security Association and Key Management Protocol (ISAKMP) profile to a peer on the basis of the contents of arbitrary fields in the certificate. In addition, this feature allows you to assign a group name to those peers that are assigned an ISAKMP profile.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Certificate to ISAKMP Profile Mapping

You should be familiar with configuring certificate maps.

You should be familiar with configuring ISAKMP profiles.

Restrictions for Certificate to ISAKMP Profile Mapping

This feature is not applicable if you use Rivest, Shamir, and Adleman (RSA)-signature or RSA-encryption authentication without certificate exchange, because there is then no peer certificate whose fields a certificate map could match. ISAKMP peers must be configured for RSA-signature or RSA-encryption authentication using certificates.

IPsec with two trustpoints enrolled in the same Certificate Authority (CA) server is not supported. When there are two or more ISAKMP profiles, each with a different trustpoint enrolled in the same CA server, the responder selects the last global trustpoint (trustpoints are selected in the reverse order in which they are defined globally). For IPsec tunnel establishment to succeed, the trustpoint selected by the initiator must match the trustpoint selected by the responder; tunnels whose trustpoints do not match fail to establish.

Information About Certificate to ISAKMP Profile Mapping

Certificate to ISAKMP Profile Mapping Overview

Prior to Cisco IOS Release 12.3(8)T, a peer could be mapped to an ISAKMP profile only through the ISAKMP identity field of the ISAKMP exchange. When certificates were used for authentication, the ISAKMP identity payload carried the subject name from the certificate. If the CA did not place the required group value in the first Organizational Unit (OU) field of the certificate, no ISAKMP profile could be assigned to the peer.

Effective with Cisco IOS Release 12.3(8)T, a peer can still be mapped as explained above. However, the Certificate to ISAKMP Profile Mapping feature enables you to assign an ISAKMP profile to a peer on the basis of the contents of arbitrary fields in the certificate. You are no longer limited to assigning an ISAKMP profile on the basis of the subject name of the certificate. In addition, this feature allows you to assign a group to a peer to which an ISAKMP profile has been assigned.

How Certificate to ISAKMP Profile Mapping Works

The figure below illustrates how certificate maps may be attached to ISAKMP profiles and assigned group names.

Figure 1. Certificate Maps Mapped for Profile Group Assignment

A certificate map can be attached to only one ISAKMP profile, although an ISAKMP profile can have several certificate maps attached to it.

Certificate maps provide the ability for a certificate to be matched against a given set of criteria. ISAKMP profiles can bind themselves to certificate maps, and if the presented certificate matches a certificate map present in an ISAKMP profile, the peer is assigned that ISAKMP profile. If the ISAKMP profile contains a client configuration group name, the same group name is assigned to the peer. This ISAKMP profile information overrides the information in the ID_KEY_ID identity or in the first OU field of the certificate.

Assigning an ISAKMP Profile and Group Name to a Peer

To assign an ISAKMP profile to a peer on the basis of arbitrary fields in the certificate, use the match certificate command after the ISAKMP profile has been defined.

To associate a group name with an ISAKMP profile that will be assigned to a peer, use the client configuration group command, also after the ISAKMP profile has been defined.
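The selection logic described in this section and the preceding one, as an added example that is not part of the Cisco documentation or of Cisco IOS itself: a Python model of how certificate-map lines (subject-name, issuer-name and alt-subject-name, with the eq, ne, co and nc operators of the crypto pki certificate map command) are evaluated against a peer certificate, how the first matching ISAKMP profile is chosen, and how a profile's client configuration group overrides the group that would otherwise be taken from the first OU of the subject. The ANDing of lines under one sequence number and ORing across sequence numbers of a map, the case- and whitespace-insensitive string comparison, and the fall-back to the first OU when a matched profile has no group are assumptions of the model; the lab_map and labpro names, the lab-group group, and the sample certificates are constructed for the example.

```python
"""Toy model of certificate-map evaluation and ISAKMP profile/group selection.
Added example for this page, not Cisco IOS code; comments marked 'assumption'
mark behaviour this model supplies beyond what the page states."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Certificate:            # only the DN-valued fields a certificate map can test
    subject_name: str
    issuer_name: str
    alt_subject_name: str = ""

@dataclass
class MapLine:                # one line of 'crypto pki certificate map <label> <seq>'
    field_name: str           # subject-name | issuer-name | alt-subject-name
    op: str                   # eq | ne | co | nc
    value: str

@dataclass
class CertMap:
    label: str
    sequences: Dict[int, List[MapLine]]  # seq -> lines; lines ANDed, seqs ORed (assumption)

@dataclass
class IsakmpProfile:
    name: str
    cert_maps: List[str]          # one entry per 'match certificate <label>'
    group: Optional[str] = None   # 'client configuration group <name>'


def normalize(dn: str) -> str:
    """Lower-case and drop blanks around '=' and ',' (assumption), so the CLI's
    'ou = green' equals 'OU=green' as printed from a certificate."""
    out = ",".join(p.strip() for p in dn.split(","))
    out = "=".join(p.strip() for p in out.split("="))
    return out.lower()


def line_matches(line: MapLine, cert: Certificate) -> bool:
    have = normalize(getattr(cert, line.field_name.replace("-", "_")))
    want = normalize(line.value)
    if line.op == "eq":
        return have == want
    if line.op == "ne":
        return have != want
    if line.op == "co":       # contains
        return want in have
    if line.op == "nc":       # does not contain
        return want not in have
    raise ValueError(f"unknown certificate-map operator {line.op!r}")


def cert_map_matches(cmap: CertMap, cert: Certificate) -> bool:
    return any(all(line_matches(ln, cert) for ln in lines)
               for lines in cmap.sequences.values())


def first_ou(subject_name: str) -> Optional[str]:
    """Legacy group source: the first OU of the subject (the pre-12.3(8)T rule)."""
    for rdn in normalize(subject_name).split(","):
        if rdn.startswith("ou="):
            return rdn[len("ou="):]
    return None


def select_profile(profiles: List[IsakmpProfile], cert_maps: Dict[str, CertMap],
                   cert: Certificate) -> Tuple[Optional[str], Optional[str]]:
    """Return (profile, group) for a peer presenting `cert`: profiles are tried in
    configured order, the first match wins, and its group overrides the first OU.
    A matched profile with no group falls back to the first OU (assumption)."""
    for prof in profiles:
        if any(cert_map_matches(cert_maps[label], cert) for label in prof.cert_maps):
            return prof.name, prof.group or first_ou(cert.subject_name)
    return None, first_ou(cert.subject_name)


# Constructed config: the page's responder map and profile plus a second pair.
CERT_MAPS = {
    "cert_map": CertMap("cert_map", {10: [MapLine("subject-name", "co", "ou = green")]}),
    "lab_map": CertMap("lab_map", {  # seq 10: lab CA and not a contractor; seq 20: lab SAN
        10: [MapLine("issuer-name", "co", "cn=LaBcA"),
             MapLine("subject-name", "nc", "ou=contractor")],
        20: [MapLine("alt-subject-name", "co", "@lab.example")]}),
}
PROFILES = [IsakmpProfile("certpro", ["cert_map"]),                   # no group: first OU
            IsakmpProfile("labpro", ["lab_map"], group="lab-group")]  # group overrides OU
SAMPLES = {  # constructed peer certificates, not taken from the page
    "green": Certificate("CN=spoke1, OU=green, O=Example", "CN=LaBcA, O=Example"),
    "lab": Certificate("CN=spoke2, OU=blue, O=Example", "CN=LaBcA, O=Example"),
    "contractor": Certificate("CN=vendor, OU=contractor, O=Example", "CN=LaBcA, O=Example"),
    "alt": Certificate("CN=spoke3, O=Example", "CN=OtherCA", "spoke3@lab.example"),
}


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    return {peer: select_profile(PROFILES, CERT_MAPS, cert) for peer, cert in SAMPLES.items()}
```

Calling demo() maps the green peer to certpro with group green (taken from its first OU because certpro sets no group), the lab and alt peers to labpro with group lab-group (the profile's group wins over OU blue and over a subject with no OU at all), and leaves the contractor peer with no profile, since the nc line in sequence 10 rejects it and sequence 20 needs a lab e-mail SAN it does not have. The point for operators: a map line such as subject-name co ou = green is a substring test on the whole DN string, so choose values that cannot appear inside another attribute, and put any required exclusion (nc) in the same sequence as the inclusion so both are evaluated together.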

How to Configure Certificate to ISAKMP Profile Mapping

Mapping the Certificate to the ISAKMP Profile

To map the certificate to the ISAKMP profile, perform the following steps. This configuration will enable you to assign the ISAKMP profile to a peer on the basis of the contents of arbitrary fields in the certificate.

Mapping a Certificate to an ISAKMP Profile Verification Example

The following examples show that a certificate has been mapped to an ISAKMP profile. The examples include the configurations for the responder and initiator, show command output verifying that the subject name of the certificate map has been configured, and debug command output showing that the certificate has gone through certificate map matching and been matched to the ISAKMP profile.

Responder Configuration

crypto pki certificate map cert_map 10
! The above line defines sequence 10 of the certificate map named cert_map.
 subject-name co ou = green
! The above line requires the peer certificate's subject name to contain ("co") "ou = green".
!
crypto isakmp profile certpro
! The above line defines the ISAKMP profile assigned to any peer whose certificate matches cert_map (see the match certificate line below).
 ca trust-point 2315
 ca trust-point LaBcA
 match certificate cert_map
 initiate mode aggressive

Technical Assistance

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Feature Information for Certificate to ISAKMP Profile Mapping

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Certificate to ISAKMP Profile Mapping

Feature Name: Certificate to ISAKMP Profile Mapping

Releases: 12.3(8)T, 12.2(33)SRA, 12.2(33)SXH

Feature Information: The Certificate to ISAKMP Profile Mapping feature enables you to assign an Internet Security Association and Key Management Protocol (ISAKMP) profile to a peer on the basis of the contents of arbitrary fields in the certificate. In addition, this feature allows you to assign a group name to those peers that are assigned an ISAKMP profile.